Monday, January 19, 2015

ISE 1.3 + vWLC 7.6 - BYOD (Single SSID) Step-by-Step Guide

In my previous post we have ISE 1.3 and vWLC 7.6 setup with basic 802.1x configration, in this post we are going to go further to configure EAP-TLS certificate base authentication using ISE internal CA, a new feature introduced in 1.3.  We are also going to configure the self onboarding capability, which allows the end users can register their own devices and install certificate on their own devices.

1.  First of all, configure Captive Bypass on WLC so that the captive portal will not automatically prompt up when you connect the BYOD SSID.  It has to be done using CLI.

config network web-auth captive-bypass enable

And you need to reload your vWLC after config this.

2.  ISE > Administration > Network Resources > Network Devices, add your vWLC. is my vWLC IP address.

3. We are going to use the ISE internal CA to sign the endpoint cert, therefore no external identity source is needed.  Administration > Identity Management > Identity Source Sequences to add a new Identity Source Sequence.

4.  ISE > Policy > Policy Elements > Results > Authentication > Allowed Protocols to create a new Allowed Protocols Services List.

5. ISE > Policy > Authentication to add a new authentication policy.

6. ISE > Policy > Policy Elements > Results > Authorization > Authorization Profiles to create 2 authorization profiles, one for full network access and the other dedicated to supplicant provisioning

Create ACL on vWLC to permit all for users after authentication.
Create another authorization profiles for supplicant provisioning.
Create ACL on vWLC to allow access to DNS and ISE BYOD portal during the supplicant provisioning stage.

Make sure your ISE FQDN is resolvable from DNS.  I have added a DNS host record in my DNS server 

7. ISE > Policy > Authorization to add two rules.  The rule "Employee Personal Device" and "Reg with ISE TLS".  For those devices that are not registered before, it will be redirected to the BYOD portal and install the certificate on the devices.

8.  ISE > Policy > Client Provisioning, I am an iPhone users and I have only configured iOS in my lab.  For other platforms it should be similar.

9.  Since I am using FlexConnect, make sure you have created the FlexConnect ACL otherwise the client cannot reach the ISE page:

This is the Screen Capture on my iPhone when it first connects to the BYOD SSID.

ISE 1.3 + vWLC 7.6 - Basic 802.1x Configuration for Wireless Devices

I have setup ISE 1.3 + vWLC 7.6 in my lab virtually on my UCS server.  Good thing is now ISE 1.3 comes with a OVA, which you can deploy and use immediately without lengthy installation.  It still needs to go through a wizard and need some time to initialize the database, but comparatively easier than pervious release.  vWLC also comes with a evaluation license that you can test things out after you accept the EULA.  Here is a step-by-step guide to configure basic 802.1x authentication for wireless devices using ISE local DB.

1.  Add ISE as Authentication Server, is my ISE IP address.
2. Add ISE as Accounting Server
3. Add a WLAN, the SSID of my testing WLAN is DW-BYOD
Remember to enable AAA Override, choose Radius NAC under NAC state and check DHCP Profiling (this is just used to feed info to my ISE for device profiling).  In my lab I am using FlexConnect local switching therefore you can see I have checked that checkbox.

4.  Create Users on ISE, now I am going to use the ISE local database.

Done!  You should now able to access your SSID using the user credentials that you have created in ISE local database.  

The next post we will go a step further, to configure BYOD with EAP-TLS and self on-boarding capability.